I have written a login application using session in C# ASP.NET,
but instead of going to the welcome page, the message is "login of the user sa is failed".
The business logic behind home.aspx:
C#
try
        {
            conn = new SqlConnection("Data Source=LENOVO;Initial Catalog=sample;User ID=sa;Password=***********");
            conn.Open();
            Response.Write("connection to databaase is established");
            String query = "select count(*) from tblRegister where name='" + txtuser.Text + "'and Password'" + txtpass.Text + "'";
            cmd = new SqlCommand(query, conn);
            String output = cmd.ExecuteScalar().ToString();
            if (output == "1")
            {
                Session["user"] = txtuser.Text;
                Response.Redirect("~/Welcome.aspx");
            }
            else
            {
                Response.Write("Login failed");

            }
        }
        catch (Exception ex)
        {
            Response.Write("sorry" + ex.Message + "\n");
            Response.Write(ex.HelpLink);
            //Response.Write(ex.InnerException);
        }
        finally
        {
            conn.Close();
            Response.Write("Connection closed");
        }
    }
}


What I have tried:

I have tried this:
String query = "select * from tblRegister where name='" + txtuser.Text + "'and Password'" + txtpass.Text + "'";
Updated 5-Jun-18 20:50pm
Comments
tusharkaushik 5-Jun-18 2:27am    
I have tried but result is still null
Richard Deeming 6-Jun-18 9:34am    
And why are you re-inventing the wheel? ASP.NET has several perfectly good authentication systems built-in - for example, ASP.NET Identity
Richard Deeming 6-Jun-18 9:38am    
Oh, and I almost forgot: applications should NEVER* connect to the database as sa. That is an unrestricted account which could be used to destroy your database, your server, or even your network (depending on how SQL is configured).

Use a specific SQL user which has only the permissions required by your application.

* The only exception would be an application designed to replicate parts of SQL Server Management Studio, which should obviously be locked down as tightly as possible. And even then, I'd still recommend using a specific account in the sysadmin role, rather than the sa account.

C#
String query = "select count(*) from tblRegister where name='" + txtuser.Text + "'and Password'" + txtpass.Text + "'";

Not a solution to your question, but another problem you have.
Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens the door to a vulnerability named "SQL injection"; it is dangerous for your database and error-prone.
A single quote in a name and your program crashes. If a user input of a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems: a malicious user input, and it is promoted to SQL commands with all credentials.
SQL injection - Wikipedia
SQL Injection
SQL Injection Attacks by Example
PHP: SQL Injection - Manual
SQL Injection Prevention Cheat Sheet - OWASP
 
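The login check from the question, rewritten with parameters as this answer recommends. This is an added example, not code from the original posts; the class name, the `NVarChar(100)` column sizes and the caller-supplied connection string are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class LoginQueryExample
{
    // Concatenated form from the question (with the missing '=' restored):
    // user input becomes part of the SQL text itself.
    public static string BuildConcatenated(string user, string pass)
    {
        return "select count(*) from tblRegister where name='" + user +
               "' and Password='" + pass + "'";
    }

    // Parameterized form: the SQL text is constant and the input travels
    // separately as typed values, so a quote in a name is only data.
    public static SqlCommand BuildParameterized(string user, string pass)
    {
        var cmd = new SqlCommand(
            "select count(*) from tblRegister where name=@name and Password=@pass");
        // NVarChar(100) is an assumed column type; match the real schema.
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = user;
        cmd.Parameters.Add("@pass", SqlDbType.NVarChar, 100).Value = pass;
        return cmd;
    }

    // Runs the check. connectionString is supplied by the caller (assumed to
    // come from web.config) and should name a low-privilege login, not sa.
    public static bool IsValidLogin(string connectionString, string user, string pass)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = BuildParameterized(user, pass))
        {
            cmd.Connection = conn;
            conn.Open();
            return (int)cmd.ExecuteScalar() == 1;
        }
    }

    public static void Main()
    {
        // Constructed sample input: a legitimate name containing a quote.
        string name = "Brian O'Conner";
        // In the concatenated text the quote in the name ends the string literal early.
        Console.WriteLine(BuildConcatenated(name, "secret"));
        // The parameterized command text is the same for every input.
        Console.WriteLine(BuildParameterized(name, "secret").CommandText);
    }
}
```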
 
Hi,

I checked your database query and found an issue, so try the query below:

C#
String query = "select * from tblRegister where name='" + txtuser.Text + "'and Password = '" + txtpass.Text + "'";


You have missed the equal (=) sign after the Password field.
 
 
Your connection string

Data Source=LENOVO;Initial Catalog=sample;User ID=sa;Password=***********


isn't valid. The password isn't valid for the sa account; we can't tell you why, as we have no access to your database, so you'll need to work that out yourself.
 
 
Comments
tusharkaushik 5-Jun-18 7:55am    
But I have to sign in with credentials that are stored in the tblregister table in the sample database.
1. Check your database connection.
Web config file:
<add name="CONNECT" connectionString="Data Source=TIS3-PC;Initial Catalog=Cashew;User Id=sa;Password=1234;" providerName="System.Data.SqlClient"/>

C#
SqlConnection cs = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["CONNECT"].ConnectionString);
 
 
Comments
tusharkaushik 14-Jun-18 23:01pm    
Sir, I have modified the code.
Now this is my code:

protected void btnInput_Click(object sender, EventArgs e)
{
    try
    {
        conn = new SqlConnection("Data Source=LENOVO;Initial Catalog=sample;User ID=sa;Password=***********");

        Response.Write("connection to databaase is established");
        string query = "select email_ID,pswd from LogIn where email_ID=@email_ID and pswd=@pswd";
        cmd = new SqlCommand(query, conn);
        cmd.Parameters.AddWithValue("@email_ID", txtuser.Text);
        cmd.Parameters.AddWithValue("@pswd", txtpass.Text);
        sda = new SqlDataAdapter(cmd);
        dt = new DataTable();
        sda.Fill(dt);
        conn.Open();
        if (dt.Rows.Count > 0)
        {
            Session["id"] = txtuser.Text;
            Response.Redirect("welcome.aspx");
            Session.RemoveAll();
        }
        else
        {
            lblmessage.Text = "Invalid username or password is incorrect";
            lblmessage.ForeColor = System.Drawing.Color.Red;
        }
    }
    catch (Exception ex)
    {
        Response.Write("connection problem \n" + ex.Message);
        Response.Write("Source of exception is" + ex.Source);
    }
}

When I set my breakpoint on the select query, it shows that query is null.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


